Defenses against various types of malware attacks and application exploits have been developed to protect servers and client computers against malicious attacks over data networks, such as the Internet. Such attacks can result and have resulted in major financial losses to large and small companies as well as to individuals.
Servers can attack browsers, and browsers can attack servers. In turn, malware may be directed against a browser from a server that has itself been compromised by malware. Scanning worms can generate attacks against servers. Web servers are attacked for a variety of reasons. For example, hackers can attempt to steal information, e.g., the customer list of a company; hackers can attempt to deface a server, such as the server of a prominent bank, to make a political or other statement or to further a political or other agenda; and hackers can attempt to break into a server in order to use it as an intermediate hop or node for gaining access inside a corporate network, as a zombie in a DDoS attack, in a subsequent attack against a client computer that accesses the server, and the like. For example, a foreign state has been accused of being behind the zero-day attack against a website of the Council on Foreign Relations, whose ultimate targets were the clients who visited the website.
For example, one common type of attack against a server is an SQL injection attack, in which a malicious command is injected into a field where the server does not expect such a command. By way of illustration, a user can enter a semicolon, or another special character such as a string-terminating quotation mark, in a field of an on-line form in which the server does not expect to receive one. The text following the semicolon can then be treated by the server as one or more commands that destroy data, expose data, or cause other processing by the server that is considered malicious. The text entered in the field may also be mishandled by the server for other reasons. Further, the malicious command may not be executed immediately by the server: it may be stored as valid SQL, and later another part of the application, or a second application, may execute the stored statement (a “second-order SQL injection attack”).
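As an added illustration that is not part of the original document, the following Python snippet, using a constructed in-memory SQLite database, places a lookup built by string concatenation beside its parameterized form, and walks through the second-order case in which a value that was stored safely is later reused in an unsafe query:

```python
import sqlite3


def make_db():
    # Constructed sample data, not from the original document.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, email TEXT)")
    db.execute("CREATE TABLE profiles (display_name TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return db


def lookup_vulnerable(db, name):
    # String concatenation: a quotation mark in the form field closes the
    # literal and everything after it is parsed as SQL, so a field value of
    # x' OR '1'='1 returns every customer.  (The sqlite3 module refuses
    # stacked statements after a semicolon; many other drivers do not.)
    sql = "SELECT email FROM customers WHERE name = '" + name + "'"
    return sorted(row[0] for row in db.execute(sql))


def lookup_safe(db, name):
    # Parameter binding: the field value is handed to the driver as data and
    # cannot change the structure of the statement, whatever it contains.
    rows = db.execute("SELECT email FROM customers WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


def second_order(db, display_name, safe_second_step):
    # Step 1 (first application): the value is stored with a parameterized
    # INSERT, so at this point the stored text is just a harmless string.
    db.execute("INSERT INTO profiles VALUES (?)", (display_name,))
    # Step 2 (another part of the application, later): the stored value is
    # read back and reused in a query.  Only a parameterized second query
    # keeps the stored text from executing as SQL.
    stored = db.execute("SELECT display_name FROM profiles").fetchone()[0]
    if safe_second_step:
        return lookup_safe(db, stored)
    return lookup_vulnerable(db, stored)


def customer_count(db):
    # Used to confirm the table survived an input containing a semicolon.
    return db.execute("SELECT count(*) FROM customers").fetchone()[0]
```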
Some existing and known defenses against malware include an anomaly detector that decides whether data received by a server is of a type that the server expects to receive. Some vendors run suspect information received by a server or by a client computer on an offsite virtual machine farm, where execution of the received communications can be monitored to determine whether malicious software is present.
Each related patent document, patent application publication, and reference on the following list is incorporated in full herein by reference:
U.S. Pat. No. 8,949,965, Securely virtualizing network services; U.S. Pat. No. 8,935,782, Malware detection via network information flow theories; U.S. Pat. No. 8,924,954, Application software installation method and application software installation apparatus; U.S. Pat. No. 8,924,571, Methods and systems for providing to virtual machines, via a designated wireless local area network driver, access to data associated with a connection to a wireless local area network; U.S. Pat. No. 8,881,282, Systems and methods for malware attack detection and identification; U.S. Pat. No. 8,869,144, Managing forwarding of input events in a virtualization environment to prevent keylogging attacks; U.S. Pat. No. 8,811,970, Virtual instance architecture for mobile device management systems; U.S. Pat. No. 8,751,629, Systems and methods for automated building of a simulated network environment; U.S. Pat. No. 8,689,333, Malware defense system and method; U.S. Pat. No. 8,689,213, Methods and systems for communicating between trusted and non-trusted virtual machines; U.S. Pat. No. 8,661,436, Dynamically controlling virtual machine access to optical disc drive by selective locking to a transacting virtual machine determined from a transaction stream of the drive; U.S. Pat. No. 8,650,565, Servicing interrupts generated responsive to actuation of hardware, via dynamic incorporation of ACPI functionality into virtual firmware; U.S. Pat. No. 8,646,028, Methods and systems for allocating a USB device to a trusted virtual machine or a non-trusted virtual machine; U.S. Pat. No. 8,627,456, Methods and systems for preventing access to display graphics generated by a trusted virtual machine; U.S. Pat. No. 8,626,147, Virtual instance architecture for mobile device management systems; U.S. Pat. No. 8,584,239, Virtual machine with dynamic data flow analysis; U.S. Pat. No. 8,578,497, Method and system for detecting malware; U.S. Pat. No. 8,566,928, Method and system for detecting and responding to attacking networks; U.S. Pat. No. 8,533,305, System and method for adapting a system configuration of a first computer system for hosting on a second computer system; U.S. Pat. No. 8,532,970, Systems and methods for network monitoring and analysis of a simulated network; U.S. Pat. No. 8,516,593, Systems and methods for computer worm defense; U.S. Pat. No. 8,453,144, System and method for adapting a system configuration using an adaptive library; U.S. Pat. No. 8,418,176, System and method for adapting virtual machine configurations for hosting across different hosting systems; U.S. Pat. No. 8,396,465, Virtual instance architecture for mobile device management systems; U.S. Pat. No. 8,375,444, Dynamic signature creation and enforcement; U.S. Pat. No. 8,340,633, Mobile activity intelligence; U.S. Pat. No. 8,291,499, Policy based capture with replay to virtual machine; U.S. Pat. No. 8,219,653, System and method for adapting a system configuration of a first computer system for hosting on a second computer system; U.S. Pat. No. 8,171,553, Heuristic based capture with replay to virtual machine; U.S. Pat. No. 8,086,836, Method and apparatus for virtualization of appliances; U.S. Pat. No. 8,060,074, Virtual instance architecture for mobile device management systems;

20140282586, Purposeful computing; 20140223560, Malware detection via network information flow theories; 20140109180, Methods and systems for preventing access to display graphics generated by a trusted virtual machine; 20140109091, Device virtualization; 20140101754, Methods and systems for allocating a USB device to a trusted virtual machine or a non-trusted virtual machine; 20140087712, Virtual instance architecture for mobile device management systems; 20140081984, Systems and methods for scalable delocalized information governance; 20140046645, Systems and methods for network monitoring and analysis of a simulated network; 20140046644, Systems and methods for network monitoring and analysis of a simulated network; 20130325873, Systems and methods for load balancing by secondary processors in parallelized indexing; 20130217378, Virtual instance architecture for mobile device management systems; 20130143522, Mobile activity intelligence; 20130132942, Application software installation method and application software installation apparatus; 20130047257, Systems and methods for computer worm defense; 20130036472, Computer worm defense system and method; 20120331553, Dynamic signature creation and enforcement; 20120179916, Systems and methods for securing virtual machine computing environments; 20120174186, Policy based capture with replay to virtual machine; 20120131591, Method and apparatus for clearing cloud compute demand; 20120015644, Virtual instance architecture for mobile device management systems; 20110145916, Methods and systems for preventing access to display graphics generated by a trusted virtual machine; 20110145886, Methods and systems for allocating a USB device to a trusted virtual machine or a non-trusted virtual machine; 20110145821, Methods and systems for communicating between trusted and non-trusted virtual machines; 20110145820, Methods and systems for managing injection of input data into a virtualization environment; 20110145819, Methods and systems for controlling virtual machine access to an optical disk drive; 20110145458, Methods and systems for servicing interrupts generated responsive to actuation of hardware, via virtual firmware; 20110145418, Methods and systems for providing to virtual machines, via a designated wireless local area network driver, access to data associated with a connection to a wireless local area network; 20110141124, Methods and systems for securing sensitive information using a hypervisor-trusted client; 20090320137, Systems and methods for a simulated network attack generator; 20090319906, Systems and methods for reconstitution of network elements in a simulated network; 20090319647, Systems and methods for automated building of a simulated network environment; 20090319249, Systems and methods for network monitoring and analysis of a simulated network; 20090319248, Systems and methods for a simulated network traffic generator; 20090319247, Systems and methods for a simulated network environment and operation thereof; 20090113535, Securely virtualizing network services; 20090036111, Virtual instance architecture for mobile device management systems; 20080320295, Method and apparatus for virtualization of appliances; 20080126785, Method and apparatus for virtualization of appliances; 20080005782, Heuristic based capture with replay to virtual machine; 20070294676, Open virtual appliance; 20070250930, Virtual machine with dynamic data flow analysis;

Arbatov, Evgeniy. “Development of Hybrid Honeynet for Malware Analysis.” (2010); Krister, Kris Mikael. “Automated Analyses of Malicious Code.” (2009); Wimmer, Martin. “Virtual security.” In 1st Conference on Computer Security Incident Handling, vol. 20. 2008; Crandall, Jedidiah Richard. “Capturing and analyzing Internet worms.” PhD diss., University of California, Davis, 2007; Slowinska, Asia, Georgios Portokalidis, and Herbert Bos. “Prospector: a protocol-specific detector of polymorphic buffer overflows.” Technical Report IR-CS-023 [note: superseded by TR IR-CS-031], Vrije Universiteit Amsterdam, 2006; Al-Saleh, Mohammed I. “Fine-grained reasoning about the security and usability trade-off in modern security tools.” (2011); Willems, Christian, Wesam Dawoud, Thomas Klingbeil, and Christoph Meinel. “Security in Tele-Lab—Protecting an online virtual lab for security training.” In Internet Technology and Secured Transactions, 2009. ICITST 2009. International Conference for, pp. 1-7. IEEE, 2009; Director, Test Team, John Hawes, Anti-Spam Test Director, Martijn Grooten, Sales Executive, and Allison Sketchley. “Happy Holidays: Mobile Maliciousness.” (2009); Willems, Christian, Wesam Dawoud, Thomas Klingbeil, and Christoph Meinel. “Protecting Tele-Lab—attack vectors and countermeasures for a remote virtual IT security lab.” International Journal of Digital Society 1, no. 2 (2010): 113-122; Donatelli, Susanna, Eric Alata, Joao Antunes, Mohamed Kaâniche, Nuno Ferreira Neves, and Paulo Verissimo. “Experimental validation of architectural solutions.” (2008); Schiffman, Joshua Serratelli. “Practical system integrity verification in cloud computing environments.” PhD diss., The Pennsylvania State University, 2012; Truhan, Nathan D. “Intrusion Detection for 0-Day Vulnerabilities.” PhD diss., Kent State University, 2011; Franceschinis, Giuliana, Eric Alata, Joao Antunes, Hakem Beitollah, Alysson Neves Bessani, Miguel Correia, Wagner Dantas et al. “Experimental validation of architectural solutions.” (2009); Bianchi, Antonio. “Blacksheep: a tool for kernel rootkit detection, based on physical memory crowdsourced analysis.” PhD diss., Politecnico di Milano, 2012; Aliari Zonouz, Saman. “Game-theoretic intrusion response and recovery.” PhD diss., University of Illinois at Urbana-Champaign, 2012; Locasto, Michael E. “Integrity Postures for Software Self-Defense.” PhD diss., Columbia University, 2008; Rossow, Christian. “Using Malware Analysis to Evaluate Botnet Resilience.” PhD diss., 2013.